Severe Vulnerabilities reported in Ray Open Source Framework for AI/ML

published: Nov. 28, 2023

Take action: If you are using the Anyscale Ray framework, lock it inside a trusted network. Be conscious, and communicate, that you are still vulnerable to exploitation, since an attacker can enter the network through other vectors. AI systems, especially those that accept arbitrary input, present a very large attack surface and need to be considered very carefully.
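A quick way to verify the "lock it inside a trusted network" advice on a host is to check which interfaces Ray's listeners are bound to. The following audit script is an added example, not code from this advisory or from the Ray project; it parses `ss -ltn` output (a constructed sample is embedded) and assumes Ray's documented default ports (dashboard 8265, GCS 6379, client server 10001), which you should verify against your own deployment.

```python
"""Flag Ray listeners bound to all interfaces instead of loopback/private addresses."""
import ipaddress
import re

# Assumed Ray defaults (not taken from the advisory): verify for your deployment.
RAY_PORTS = {8265: "dashboard", 6379: "gcs", 10001: "client-server"}

# Constructed sample of `ss -ltn` output used as input for this example.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8265         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     10.0.3.7:10001       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Matches "LISTEN <recv-q> <send-q> <addr>:<port> ..." for both IPv4 and [IPv6] forms.
_LISTEN_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1).strip("[]"), int(m.group(2))
        listeners.append((addr, port))
    return listeners


def exposure(addr):
    """Classify a bind address as 'any', 'loopback', 'private' or 'public'."""
    if addr in ("0.0.0.0", "::", "*"):
        return "any"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def find_exposed_ray_ports(ss_output):
    """Map each Ray service found listening to its exposure class ('any' is the red flag)."""
    result = {}
    for addr, port in parse_listeners(ss_output):
        if port in RAY_PORTS:
            result[RAY_PORTS[port]] = exposure(addr)
    return result


if __name__ == "__main__":
    for service, how in find_exposed_ray_ports(SAMPLE_SS_OUTPUT).items():
        print(f"{service}: bound to {how}")
```

Run it against live output with `ss -ltn | python3 audit.py`-style piping by replacing the sample with `sys.stdin.read()`; any service reported as `any` is reachable from every interface the host has.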

On November 28, 2023, researchers raised concerns about serious security vulnerabilities in Ray, a widely used open source framework designed for scaling artificial intelligence (AI) and machine learning (ML) tasks. These flaws, if exploited, could severely compromise the framework's security, allowing attackers unprecedented access and control.

The vulnerabilities affect versions 2.6.3 and 2.8.0 of the framework.

Anyscale has not yet taken any action to rectify these vulnerabilities and considers them irrelevant, arguing that Ray is intended for use in strictly controlled network environments, a stipulation mentioned in its documentation.

Ray, integral to AI and ML operations in various large-scale enterprises, is now under scrutiny for three major, unaddressed security flaws. They pose a significant risk, especially for organizations with Ray instances accessible from the Internet or local networks. If Ray is deployed in cloud environments such as AWS, attackers could potentially access privileged IAM credentials.

The security gaps could potentially allow attackers to gain control over the operating system of all nodes in a Ray cluster, execute remote code, and elevate privileges.

  1. CVE-2023-48023: Remote Code Execution (RCE) due to Missing Authentication

    • Nature of Vulnerability: This vulnerability is classified as a Remote Code Execution (RCE) issue. RCE vulnerabilities allow an attacker to run arbitrary code on a victim's machine from a remote location.
    • Specific Issue in Ray: In the case of Ray, this particular RCE vulnerability is caused by missing authentication for a critical function within the framework. This means that the system does not adequately verify who is sending a command or accessing a function, allowing unauthorized users to execute commands.
    • Potential Impact: An attacker could potentially take complete control of all nodes in a Ray cluster. This control might include executing malicious code, manipulating data, or disrupting operations.
  2. CVE-2023-48022: Server-Side Request Forgery (SSRF) in Ray Dashboard API Leading to RCE

    • Nature of Vulnerability: Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
    • Specific Issue in Ray: This vulnerability resides in the Ray Dashboard API. The flaw can be exploited to perform an SSRF attack, which in turn enables Remote Code Execution. This means that an attacker can trick the server into making requests or performing actions on their behalf.
    • Potential Impact: Through this vulnerability, an attacker could manipulate the Ray Dashboard to send requests to internal systems or the Internet, potentially accessing or altering sensitive data, or even executing malicious code on the server.
  3. CVE-2023-6021: Insecure Input Validation Enabling Remote Attackers to Execute Malicious Code

    • Nature of Vulnerability: This is related to insecure input validation. Input validation vulnerabilities occur when a system does not properly check or sanitize the data that is input into it, allowing attackers to provide malicious input.
    • Specific Issue in Ray: This vulnerability is due to improper or inadequate validation of input in Ray's components. It allows a remote attacker to provide input that can execute malicious code on the system affected by the vulnerability.
    • Potential Impact: An attacker exploiting this vulnerability can execute arbitrary code on the system where Ray is installed. This could lead to a wide range of malicious activities, such as data theft, system compromise, and further network infiltration.

Anyscale's documentation emphasizes the importance of deploying Ray in controlled network environments, highlighting the framework's expectation of operating in secure networks and handling trusted code. It advises developers to be mindful of this when building applications with Ray.